Students Develop Techniques to Keep Malware Out of the Electronics Supply Chain

Student Hackers Develop New Design Techniques to Protect Against Vulnerabilities in Vital Components in the Electronics Supply Chain

Security concerns over chips, routers, and other technical equipment coming from China, and through the technology supply chain in general, have been highlighted in government reports and in the media recently.

These fears over tainted hardware stem from the thought that adversaries could have the ability to monitor or control sensitive networks.

Researchers at Polytechnic Institute of New York University (NYU-Poly) and the University of Connecticut hope to address some of these concerns with new techniques designed to protect against malicious manufacturing flaws and vulnerabilities in the electronics supply chain.

Ramesh Karri, an electrical and computer engineering professor at NYU-Poly, explains that most engineers design systems under the assumption that the underlying hardware is trustworthy, an assumption, he says, is false.

According to The White House’s Cyber Policy Review, samples of imported hardware and software have been discovered that have deliberately been infected with spyware and malware before being imported. “The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover,” the report warns.

In May 2010, for example, the FBI seized more than 700 pieces of counterfeit Cisco network hardware and labels with an estimated retail value of more than $143 million. While that scheme was conducted for financial gain, designers of integrated circuits and microchips also need to protect military, financial, transportation and other critical digital infrastructure from malware inserted by intruders with other criminal or military intentions.

According to the FBI, from November 2007 to May 2010, Customs and Border Protection and Immigration and Customs Enforcement made more than 1,300 seizures involving 5.6 million counterfeit semiconductor devices. These semiconductors are used extensively in modern products, including many used in government, military, and aerospace industries. More than 50 seized counterfeit shipments were falsely marked as military or aerospace grade devices.

Karri, along with researchers from the University of Connecticut, have developed new techniques that designers can use to defend against such weaknesses in the supply chain.

Their new "design for trust" techniques add to the established "design for manufacturability" and "design for testability" mantras and build on existing design and testing methods.

One such technique involves ring oscillators, which are sets of odd numbered, inverting logic gates that designers use to ensure an integrated circuit's reliability. Circuits with ring oscillators produce specific frequencies based on the arrangement of ring oscillators. Trojans alter the original design's frequencies and alert testers to a compromised circuit. However, sophisticated criminals could account for the frequency change in their Trojan design and implementation, the researchers warn. Karri and his team suggest designers thwart their tactics by creating more variants of ring oscillator arrangements than criminals can keep track of, making it harder for them to implant a Trojan without testers detecting it.

Unlike microbiologists that often have easy access to sample viruses, Karri and other hardware security researchers cannot study ample real-world Trojans because companies and governments are often reluctant to share infected hardware for reasons of intellectual property, national security or fear of embarrassment. Karri and his colleagues decided to do some crowd sourcing to collect sample Trojans that informed their design-for-trust techniques.

Graduate and undergraduate students from across the country build and detect hardware Trojans for the Embedded Systems Challenge, part of NYU-Poly's annual Cyber Security Awareness Week white-hat hacking competition. Karri and his team analyzed a diverse collection of 58 submissions from the 2008 competition and developed a taxonomy that is helping to standardize metrics for evaluating Trojans.

Crowdsourcing Trojans benefits the team's research and will help guide future researchers and practitioners, according to Jeyavijayan Rajendran, an NYU-Poly electrical and computer engineering doctoral candidate and co-author. Rajendran was the 2009 winner of the Embedded Systems Challenge and has been the student leader of the national challenge since then. In the 2010 competition, Rajendran's 2009-winning defense was successfully attacked. "I went back and studied the vulnerabilities and developed additional techniques to fix them," he says. "The Embedded Systems Challenge changed my research process. Now I am not only thinking from a defender's point of view, but I am also thinking from an attacker's point of view."

Trojans from the Embedded Systems Challenge and the design-for-trust techniques are available on TrustHub.org, a National Science Foundation funded site created to encourage community building and knowledge exchange among hardware security researchers and professionals.

In addition to the NSF, the Air Force Research Laboratory is supporting Karri and his team's research at NYU-Poly. The final rounds of the 2011 NYU-Poly CSAW challenges will be held Nov. 9 - 11, 2011, in Brooklyn. More information is available here.